IETF Logo Mail Archive

Re: [Acme] Conflicting requirements for retrieving an ACME account that is already bound to an external account

Jacob Hoffman-Andrews <jsha@letsencrypt.org> Tue, 17 November 2020 20:23 UTC

Return-Path: <jsha@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F8303A07E6 for <acme@ietfa.amsl.com>; Tue, 17 Nov 2020 12:23:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKbARpo0Bvdh for <acme@ietfa.amsl.com>; Tue, 17 Nov 2020 12:23:32 -0800 (PST)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 949E23A07EA for <acme@ietf.org>; Tue, 17 Nov 2020 12:23:31 -0800 (PST)
Received: by mail-qt1-x82d.google.com with SMTP id p12so16848672qtp.7 for <acme@ietf.org>; Tue, 17 Nov 2020 12:23:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kcyfoh4gGX9ObDultRUgs+d/wn64KifsIpULhOodEQA=; b=NnGOsfNVZuDIl1etLBu4SPny0QpREnNSPeFoEbhDcesgGhtBRkS4tUeg0M49cXHnwV XYlcoJysK8GNz4W1R0OXVvNx6XtNhMxQSjJyJCXDAGz0ItC0IvBJ9GxjvUkTyeFz1s24 sJWu17WzqyyMd2jXOBYguCCxV2Tm97mBR5l3Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kcyfoh4gGX9ObDultRUgs+d/wn64KifsIpULhOodEQA=; b=V/B31m+zpj0zZ+pVc0RAjV+jFxS0/kbyKuIULm9RQod1ouUxU9VZt9C1mmeLnYmsbG y1azU6QUAbbv9oYtmpFvZmv/X8ALinC2UUwtAc2Vd2UYvnyG8pEnNiECvKFmi+o7kVrD iV+zxdjWDsPWXyuwWcOb2FWvasIYyrdy25Mr8GZuV+K/KOcgA1/HENiLjPHh2WunbO8o GJD5HtUUUI9fhUM5KyiGZlOehel9QcWVyDdwPAb0JntHGO5+F9jXeXbwW5KIdBpoYzrO 9SSzqbLv8yR3FeX8MrJO2ft6zAhQ6lse4/oNsW+s3WK2e/uukuBBNKmOO9FjeECN8yS0 dXmw==
X-Gm-Message-State: AOAM530iz81UkO4skJu87UNE0HwvxJx92/rrBYzw6z+w9UNs8Xy4IZ5T OBVYdR8zmcLNX8MynOEG/pwRkC+d7Anl3jydfoDHPw==
X-Google-Smtp-Source: ABdhPJwAd4Qz+IWNbVV2ERXnfHyhG0QGNAX6zSJ7m56p2bYgtAq3N3WWGQmgsPx5C3QYErYacBSAXA3mxUqfp2OOGPM=
X-Received: by 2002:ac8:3797:: with SMTP id d23mr962762qtc.205.1605644610521; Tue, 17 Nov 2020 12:23:30 -0800 (PST)
MIME-Version: 1.0
References: <MW3PR17MB4122DD879FB24AEB6B856E28AAE80@MW3PR17MB4122.namprd17.prod.outlook.com>
In-Reply-To: <MW3PR17MB4122DD879FB24AEB6B856E28AAE80@MW3PR17MB4122.namprd17.prod.outlook.com>
From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Tue, 17 Nov 2020 12:23:04 -0800
Message-ID: <CAN3x4QngVMpuvUnxqj34XpDY3A0gUq7=G29o57nbVBxWz3+Y9A@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a560bd05b45344e8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/rwieiDldue3az6ZKb8plWvO9wFs>
Subject: Re: [Acme] Conflicting requirements for retrieving an ACME account that is already bound to an external account
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 20:23:33 -0000

I think this is the key bit:

>   - Since the server has not verified the binding, its response 'MUST NOT
reflect the "externalAccountBinding" field in the resulting account object'.

I understand "reflect" to mean "echo what the client sent." So I think it's
acceptable for the server to ignore the externalAccountBind field / not
re-verify it, and return an account object whose externalAccountBinding
field is set based on the contents of the CA's database.

> 1. A client should be permitted to omit "externalAccountBinding" from a
newAccount request when retrieving an existing account from a server that
requires external account binding.  (External account binding is a one-time
operation; as soon as an ACME account and an external account are bound
once, they're bound forever).
> 2. When a client does provide "externalAccountBinding" in a newAccount
request to retrieve an existing account from a server that requires
external account binding, the server should be required to verify that
binding and ensure that it links to the exact same external account to
which the ACME account is already bound.

I think an errata is not needed to make forward progress, but if you want
to do an errata for 1, I'd support it. I'm not enthusiastic about 2.

In general I think providing the option to look up an account by key was a
mistake. Clients already have to store one piece of state (the account
key), and asking them to store a second piece of state (the account URL) is
not onerous. Particularly in the case where the client is storing both an
account key and an external account binding, I think it's reasonable to ask
that the client store the account URL rather than add additional complexity
to the account-lookup part of the standard.

v2.23.0 | Report a Bug | By Email